BreachExchange mailing list archives

Re: rant: Abandon Ship! Data Loss Ahoy!

From: "Manny Cho" <Msc () vrtinsurance com>
Date: Thu, 20 Mar 2008 18:42:43 -0700

I agree with Sanford in that this incident (and all of the other loss notices that post every day to this site) is 
indicative of the fact that the idea of "one solution" or one perfect product is just not a reality today.  

 

I do believe that companies are trying to do the right thing and are investing the dollars as best as they can to 
comply with the myriad of privacy and regulatory guidelines (PCI, CISSP, HIPAA, GLB, SOX, etc) that govern their day to 
day business practices. Unfortunately, what the best security product / service can not eliminate is the system user 
(i.e. the human factor) - which would also include the use of independent contractors where we believe a lot of 
vulnerabilities exist - and this is why we feel that True Privacy / Security for any company requires IT, Human 
Resources, Finance, Legal and finally insurance to work together and implement data security best practices to protect 
the data, train and update their employees and set up contingencies (that include p.r., legal notices and insurance) to 
respond to an event.

 

What can/will be implemented by each company is a function of time, money and resources. Having seen a number of 
companies go through these incidents, I can say that those companies that are more proactive in their data risk 
management have reduced their potential third party liabilities and helped to maintain customer / client loyalty.  

 

The final piece of the puzzle is the insurance component - most commonly referred to as Cyber Liability and/or Security 
and Privacy Liability.  In the U.S., there are a number of carriers (10+) providing coverage that can respond to third 
party individual and class action suits for breach of privacy.  Many policies will also respond to administrative and 
regulatory actions for defense costs and fines and penalties.  Some will also provide coverage for your expenses - 
p.r., forensics, extra expense, third party monitoring services - due to the event.  Like software, each carrier has 
subtle nuances to their program, your broker should work with you to develop the right program to fit your individual 
risk profile.

 

Manny

manny () vrtinsurance com

www.vrtinsurance.com <http://www.vrtinsurance.com/>  - Vantage, Resolve and Trust

 

 

 

________________________________

From: dataloss-bounces () attrition org [mailto:dataloss-bounces () attrition org] On Behalf Of macadamiamac
Sent: Thursday, March 20, 2008 6:15 PM
To: Sasha Romanosky
Cc: dataloss () attrition org
Subject: Re: [Dataloss] rant: Abandon Ship! Data Loss Ahoy!

 

        A Qualsys (a good system) - or equivalent installation, insurance and whatever other components a business may 
implement to protect its PII data is not a set it and forget it  procedure. Kryptonite proof it ain't. No system is 
100% immune from all risk.

        A savvy CTSO, with the cooperation and support of senior management will implement all of the components: 
training its personnel, hard and software firewalls, changing passwords periodically, encrypting data in use, purging 
data no longer needed, periodic random testing of the system, and whatever else to reduce risk of data loss - internal 
and external.

        An even smarter management team will have all of the foregoing incorporated into its culture and have on deck 
1)a breach management plan; 2)notification and PR templates; 3) a recovery plan; and, 4) a re$erve or insurance.

 

        There are federal regulations - [see FTC 12 CFR § 315 et. seq. of the FACT Act], becoming effective in November 
2008 that mandate that financial institutions, their providers and anyone else who deals with consumer credit (and the 
PII data necessary to conduct their business), implement a host of must dos or face penalties.

 

        A not in compliance business that suffers a breach will be subject to:

        * Civil Liability - Actual damages sustained if identity is stolen as a result of corporate inaction or 
statutory damages up to $1,000 per affected individual;

        * Class-Action Lawsuits - If large numbers of individuals are affected, they may be able to bring class-action 
suits and get punitive damages; 

        * Federal Fines - Up to $2,500 for each violation; and 

        * State Fines - Up to $1,000 for each violation depending upon jurisdiction.

 

        So maybe a little insurance isn't such a bad idea, n'est pas?

 

Sanford Lung

Honolulu  (yes, there are ID fraudsters in paradise)

http://www.identitysafeguards.com

 

________________________________

 

 

        Whoops, wrote too soon:
        
        http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1306207,
        00.html
        (Thanks to a student post for pointing this out.)
        
        
        > -----Original Message-----
        > From: Sasha Romanosky [mailto:sromanos () andrew cmu edu]
        > Sent: Thursday, March 20, 2008 6:27 PM
        > To: 'dataloss () attrition org'
        > Subject: RE: [Dataloss] rant: Abandon Ship! Data Loss Ahoy!
        >
        >
        > To my knowledge, this firm in Canada is the one that offers
        > data breach insurance:
        >
        > From SANS NewsBites Vol. 10 Num. 22:
        > --Canadian Firm to Offer Data Breach Insurance (March 13,
        > 2008) As data security breaches appear more and more
        > frequently in the news, at least one Canadian insurance
        > company is starting to offer a product that would cover costs
        > incurred by companies when they have suffered a data privacy
        > breach. The policy would cover the cost of fixing computer
        > damage as well as costs associated with customer notification
        > and reimbursement and compensation paid to credit card
        > companies for losses from fraud. The coverage is structured
        > to address Canadian data privacy laws.
        > http://www.theglobeandmail.com/servlet/story/LAC.20080313.RINS
        > URANCE13/TPStory/Business
        >
        > [Editor's Note (Schultz): Insurance against security
        > incidents in general has not caught on all that well in the
        > information security arena for a number of reasons. However,
        > this new type of insurance is likely to fare much better
        > because of the widespread concern about and high likelihood
        > of data security breaches.]
        >
        > cheers,
        > sasha
        > www.romanosky.net
        >
        > > -----Original Message-----
        > > From: dataloss-bounces () attrition org
        > > [mailto:dataloss-bounces () attrition org] On Behalf Of Kevin McPoyle
        > > Sent: Thursday, March 20, 2008 6:00 PM
        > > To: Chris Walsh; Tracy Blackmore
        > > Cc: dataloss () attrition org
        > > Subject: Re: [Dataloss] rant: Abandon Ship! Data Loss Ahoy!
        > >
        > > What I find interesting is the recognition among the readers and
        > > pundits that this is an imperfect world with respect to security. 

        > > With that in mind, I'm unclear as to why organizations
        > don't transfer
        > > a portion of this risk to others through an insurance product?  It
        > > seems rational and clearly represents some mitigating of a scenario
        > > that will happen, not if, when.  Policies are readily available,
        > > negotiable and clearly a deal compared to other costs.  No
        > one like to
        > > "waste" money on insurance...until there is a claim.  The
        > supermarket
        > > had D&O with which to fend off the legal dogs.
        > > Why don't they have a "cyber" policy?
        > > Whose making these good decisions?
        > >
        > > -----Original Message-----
        > > From: dataloss-bounces () attrition org
        > > [mailto:dataloss-bounces () attrition org] On Behalf Of Chris Walsh
        > > Sent: Thursday, March 20, 2008 5:49 PM
        > > To: Tracy Blackmore
        > > Cc: dataloss () attrition org
        > > Subject: Re: [Dataloss] rant: Abandon Ship! Data Loss Ahoy!
        > >
        > > IANAL, but this question of "due diligence" and comparing
        > oneself to
        > > one's competitors begs the question -- what harm (in the
        > legal sense)
        > > has been done here to anyone whose CC or debit card # was revealed?
        > > Does your answer vary depending on whether there was fraud
        > associated
        > > with that card #?
        > >
        > >
        > > _______________________________________________
        > > Dataloss Mailing List (dataloss () attrition org)
        > > http://attrition.org/dataloss
        > >
        > > Tenable Network Security offers data leakage and compliance
        > > monitoring solutions for large and small networks. Scan your
        > > network and monitor your traffic to find the data needing
        > > protection before it leaks out!
        > > http://www.tenablesecurity.com/products/compliance.shtml
        > > _______________________________________________
        > > Dataloss Mailing List (dataloss () attrition org)
        > > http://attrition.org/dataloss
        > >
        > > Tenable Network Security offers data leakage and compliance
        > > monitoring solutions for large and small networks. Scan your
        > > network and monitor your traffic to find the data needing
        > > protection before it leaks out!
        > > http://www.tenablesecurity.com/products/compliance.shtml
        > >
        > >
        
        _______________________________________________
        Dataloss Mailing List (dataloss () attrition org)
        http://attrition.org/dataloss
        
        Tenable Network Security offers data leakage and compliance monitoring
        solutions for large and small networks. Scan your network and monitor your
        traffic to find the data needing protection before it leaks out!
        http://www.tenablesecurity.com/products/compliance.shtml

_______________________________________________
Dataloss Mailing List (dataloss () attrition org)
http://attrition.org/dataloss

Tenable Network Security offers data leakage and compliance monitoring
solutions for large and small networks. Scan your network and monitor your
traffic to find the data needing protection before it leaks out!
http://www.tenablesecurity.com/products/compliance.shtml

Current thread:

Re: rant: Abandon Ship! Data Loss Ahoy!, (continued)
- - - Re: rant: Abandon Ship! Data Loss Ahoy! Adam Shostack (Mar 20)
    - Re: rant: Abandon Ship! Data Loss Ahoy! Tracy Blackmore (Mar 20)
    - Re: rant: Abandon Ship! Data Loss Ahoy! Chris Walsh (Mar 20)
    - Re: rant: Abandon Ship! Data Loss Ahoy! Kevin McPoyle (Mar 20)
    - Re: rant: Abandon Ship! Data Loss Ahoy! Eric Nelson (Mar 20)
    - Re: rant: Abandon Ship! Data Loss Ahoy! Kim Zelonis (Mar 19)
  - Re: rant: Abandon Ship! Data Loss Ahoy! Jackson, Ben (ITD) (Mar 19)
    - Re: rant: Abandon Ship! Data Loss Ahoy! Jamie C. Pole (Mar 19)
- Re: rant: Abandon Ship! Data Loss Ahoy! Sasha Romanosky (Mar 20)
  - Re: rant: Abandon Ship! Data Loss Ahoy! macadamiamac (Mar 20)
    - Re: rant: Abandon Ship! Data Loss Ahoy! Manny Cho (Mar 20)
    - Re: rant: Abandon Ship! Data Loss Ahoy! James Ritchie, CISA, QSA (Mar 20)
    - Re: rant: Abandon Ship! Data Loss Ahoy! Al Mac Wheel (Mar 21)
    - Re: rant: Abandon Ship! Data Loss Ahoy! James Ritchie, CISA, QSA (Mar 21)
- Re: rant: Abandon Ship! Data Loss Ahoy! *Hobbit* (Mar 22)
  - Re: rant: Abandon Ship! Data Loss Ahoy! lyger (Mar 22)